iOS, Your OS, Everybody's OS: Vetting and Analyzing Network Services of iOS Applications

Authors: 

Zhushou Tang, Shanghai Jiao Tong University and PWNZEN InfoTech Co., LTD; Ke Tang, Shanghai Jiao Tong University; Minhui Xue, The University of Adelaide; Yuan Tian, University of Virginia; Sen Chen, Nanyang Technological University; Muhammad Ikram, Macquarie University; Tielei Wang, PWNZEN InfoTech Co., LTD; Haojin Zhu, Shanghai Jiao Tong University

Abstract: 

Smartphone applications that listen for network connections introduce significant security and privacy threats for users. In this paper, we focus on vetting and analyzing the security of iOS apps’ network services. To this end, we develop an efficient and scalable iOS app collection tool to download 168,951 iOS apps in the wild. We investigate a set of 1,300 apps to understand the characteristics of network service vulnerabilities, confirming 11 vulnerabilities in popular apps, such as Waze, Now, and QQBrowser. From these vulnerabilities, we create signatures for a large-scale analysis of 168,951 iOS apps, which shows that the use of certain third-party libraries listening for remote connections is a common source of vulnerable network services in 92 apps. These vulnerabilities open up the iOS device to a host of possible attacks, including data leakage, remote command execution, and denial-of-service attacks. We have disclosed identified vulnerabilities and received acknowledgments from vendors.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {255230,
author = {Zhushou Tang and Ke Tang and Minhui Xue and Yuan Tian and Sen Chen and Muhammad Ikram and Tielei Wang and Haojin Zhu},
title = {{iOS}, Your {OS}, Everybody{\textquoteright}s {OS}: Vetting and Analyzing Network Services of {iOS} Applications},
booktitle = {29th USENIX Security Symposium (USENIX Security 20)},
year = {2020},
isbn = {978-1-939133-17-5},
pages = {2415--2432},
url = {https://www.usenix.org/conference/usenixsecurity20/presentation/tang},
publisher = {USENIX Association},
month = aug
}

Presentation Video